Jared Landin and Karl Kispert suggest strategic frameworks for financial institutions

Alex needed to pack for his trip to the London office, but first he had a few things to check before leaving the bank for the day. He wanted to make sure the bogus account he had established was still accessible and verify that the 34m was there. He wanted to be sure that the money was positioned for problem-free withdrawal in London. As he made the final check on his terminal he thought, 'This is too easy.'

At a recent security seminar, Alex had discovered how it was possible to exploit weaknesses in systems like the one at this bank. He realised that he might be able to use this knowledge to his benefit, and began probing the bank's network. He called the office of the head of customer service for large personal accounts. When the head's assistant answered the phone, Alex explained that IT had performed an upgrade the night before and wanted to make sure she had no problems accessing her boss's accounts.

He asked for her boss's log-on ID and password so he could run some online tests. The assistant thought nothing of this request; after all, the caller did say he was from IT, so she provided him with the information. Within seconds, Alex assured her that his account was just fine and wished her a good day. Alex knew that with this personal access he could create a new account and transfer money into it. Yes, there are checks and balances, but if Alex timed it right, he would be long gone before anyone noticed.
When he arrived in London Alex checked his account to again make sure the 34m was still there. Now came the hard part: getting the money out.

He figured that since it was a high-net-worth account and he had completed a client profile and entered the pertinent information on the database, he should have no problem withdrawing the money.

So he dressed in smart, fashionable clothing; just enough to demonstrate that he had money, walked into the branch and asked to speak to a manager.
The manager greeted Alex and was told that he needed to withdraw 32m.

Alex knew if he only withdrew half of his total account, no one would really question it. And no one did.

Alex explained that he was purchasing an apartment in the city and wanted to pay for most of it in cash. Within a few minutes of verifying the account and Alex's false identity, 32m was handed over to Alex in the form of a bank cheque. The manager wished him well and Alex walked out of the branch, went at once to headquarters, and headed for the chief executive's office.

You see, Alex was not a thief; he was and is a senior IT auditor in the bank's internal audit department. He was testing to determine if there were exploitable gaps in the controls environment. The goal of the exercise was to identify potential areas of vulnerability and correct them before a real thief did exactly what Alex had simulated.

If an effective IT risk management strategy had existed at this bank, Alex probably would not have got as far as he did. There is a strategy, a circle of effective IT management that financial institutions need to develop. The elements of this strategy are necessary to help ensure IT risks are identified, understood and mitigated accordingly.

Circle of effective IT management

Strategy components are interdependent. You cannot monitor a programme you do not have, or mitigate unknown risks. It is vital that all elements of the process be present and that they are properly implemented and supported on an ongoing basis.

IT risk is here to stay. And there is a profound relationship between IT risk and business risk. Since IT is an integral part of the core business, IT risk is also business risk. Some common IT risks include system outage, denial of service, theft or loss of data, corruption of data, theft of computing resources and virus proliferation. Related business risks are loss of market share, regulatory non-compliance, operational impact, reputation harm and diminished customer confidence.

Even with all the potential threats to businesses today, IT security has shot to the top of the list of the issues keeping financial services executives up at night. Today's operating climate for financial service organisations is one of unprecedented emphasis on risk management. And, although credit and regulatory risks have always existed, financial institutions are now being forced to place new emphasis on formal, documented risk assessment, internal audit, and information technology security.

Is there a need to define what risk management means? A suggestion is: Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organisation in achieving business objectives and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organisation (ISACA, 2005).

Developing a programme

To develop a risk management programme an organisation needs to:

- Establish the purpose of the risk management programme - assists in evaluating the programme's effectiveness

- Agree responsibility for the risk management plan - ie integrating risk management within all levels of the organisation
A risk strategy is mandatory to understand and incorporate risk into the institution, and to assess, mitigate and monitor risk. The eight key areas shown in the box should be addressed when contemplating IT risk.
It is important to realise that IT risk management needs to operate at multiple levels, which include:

- Operational - risks that could compromise the effectiveness of IT systems and their infrastructure

- Project - the ability to understand and manage project complexity

- Strategic - how well the IT capability is aligned with the business strategy, how it compares with that of competitors and the threats and opportunities posed by technological change

As well as the eight key areas listed in the box, we need to consider structures such as the creation of an IT strategy committee, risk management (ie understanding the organisation's overall appetite for risk), and applying the organisation's standard balanced scorecard to IT.

Control frameworks

IT executives in top financial institutions must constantly work to inspire stakeholder confidence. This includes making stakeholders confident about the institution's security and governance programmes. One means of accomplishing that goal is to approach global security in a comprehensive manner by adopting industry standards such as COBIT (Control Objectives for Information and related Technologies), ITIL (Information Technology Infrastructure Library), and ISO/IEC 17799. While Sarbanes-Oxley compliance only directly applies to foreign and domestic SEC registrants, organisations around the world are using the Act's requirements as a baseline for their compliance programmes.
Institutions often struggle with compliance and regulatory issues because, although the regulators give guidance, there is no set script to follow.
The frameworks below can help institutions design a script to ensure compliance with these often-complex regulations.

COBIT was originally released as an IT process and control framework linking IT to business requirements. The COBIT framework was initially used by the assurance community to assess and audit IT controls. Beginning with the addition of management guidelines in 1998, COBIT is now often used as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework. For more information, see www.isaca.org/cobit.htm
ITIL is a framework built around a set of best practices and is very popular in Europe. ITIL bundles core IT-process definitions into integrated, published sets. ITIL's structure enables incremental adoption, which facilitates continuous improvement. For more information see www.itil.co.uk

ISO/IEC 17799 is a comprehensive set of controls comprising best practices in information security. It is essentially an internationally-recognised generic information security standard. This standard concentrates on areas such as security policy, system access controls and compliance. For more information see www.iso-17799.com

While many risk frameworks or IT processes could work for an institution, a combination may be the best answer. The recipe for success may be one part COBIT, two parts ITIL, a dash of ISO/IEC 17799 and a hefty portion of the Capability Maturity Model Integration for Software. Then, wrap all ingredients in the Treadway Commission's Committee of Sponsoring Organisations' (COSO) and bake until done! Organisations should not be afraid to experiment, and keep IT risk management processes fluid, to incorporate the latest framework.

IT governance

IT governance now plays a role in IT risk management strategies. The Information Systems Audit and Controls Association defines IT governance as 'a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes'.

The benefits of a formal IT governance programme include the alignment of business and IT strategy, improved IT risk management, measurable information, consistency and accountability, and improved effectiveness and efficiency in both business and IT.

IT, long considered only an enabler of an organisation's strategy, is now regarded as an integral part of that strategy. CEOs, CFOs and CIOs agree that strategic alignment between IT and enterprise objectives is a critical success factor. IT governance helps achieve this critical success factor by efficiently and effectively deploying secure, reliable information and applied technology.

Reaping the benefits

A sound governance programme can afford your institution the following.

- Alignment of business and IT strategy: cross-departmental communications improve; goals are better realised and known; IT risk will be understood, leading to the achievement of business value.

- Improved risk management: risks are identified and managed within the governance framework.

- Measurable information: key performance indicators with qualified and quantified data are established to measure achievement of objectives, including return on investment.

- Consistency and accountability: standard, consistent policies and procedures are implemented, resulting in efficiency, accountability and cost-savings.
If one were to ask 10 IT risk-management professionals for a definition of an effective IT risk assessment, there would likely be 10 different answers. And were the same 10 professionals asked to list the areas they review when conducting an IT risk assessment, the lists would be very different. It is also a strong bet that not all follow the same control framework.

So what is the lesson in all this? It is a simple one. The key to an effective IT risk strategy for any one financial institution is to use what works for that institution. And the only way to determine that is to experiment, be open to change and share success with others.
Jared Landin is director of technology risk management and Karl Kispert is solutions director, technology risk management for Jefferson Wells, www.jeffersonwells.co.uk

EIGHT KEY AREAS OF FOCUS

1. Application and operating systems controls

- data integrity via management review processes

- business impact and cost/benefits analyses, and user acceptance planning

- product configuration planning and 'defaults' analyses.

2. Business continuity planning

- business impact analyses and management awareness

- alignment of IT and business recovery requirements and capabilities

- independent observation and analysis of disaster recovery tests.

3. Change-management controls/systems development life cycle

- project control reviews - both pre- and post-implementation

- compliance with SDLC methodology.

4. End-user computing

- software licensing compliance

- workstation and document security controls

- end-user awareness programmes

5. General administrative controls

- physical security of offices and computer areas

- fire/water/smoke detection controls

- job descriptions (roles) and segregation of duties.

6. Information security

- comprehensive security policies, standards and procedures

- authentication and authorisation techniques and controls

- accountability, monitoring and follow-up programmes

- database and internal application security controls.

7. Network controls

- internet firewalls and other e-commerce access controls

- remote access, dial-in or dial-out, and e-mail services controls.

8. Operations management

- capacity planning and monitoring

- job scheduling and management reporting

- data input and output management and control